Spam, Spam and more spam

I shouldn’t joke about spam as it is quite a problem with BuddyPress. I’ve tried so many things and I am out of ideas. In this forum there are lots of suggestions but everyone still seems to be SOL or just hanging on.

But it only shows on the comments and NOT on the registration page itself. It’s been “modified” to work with BP, but I can’t get it to work. Again, slave labor can overcome this one quite easily. Think I am kidding about the slave labor: http://ha.ckers.org/blog/20080311/human-captcha-breaking/

Guess what, still getting spam. Loads of it too. You would think a little core hacking would throw them off. Tsk tsk…. not these bots/humans. A little tip here for the changing of the slug and the code you add to the config files – Don’t forget to put the define statements BEFORE the STOP EDITING HERE LINE in the config.php. That had me and others scratching our heads for a while.

Yeah, why don’t we just go ahead and give the user a puzzle via snail mail and they can send smoke signals once they get it. Or better yet just send them a link to Facebook and save everyone some headache. This MAY work but it is too much to ask of a user.

You can try banning IPs by an .htaccess tidbit or by using most of the plugins above. But IPs are a dime a dozen to spammers and that’s a total waste of time if you ask me.

In Summary:

Short of rewriting the registration page and my own plugin for spam I am at a loss. Any tips would be helpful. Hopefully this post will help some others with the same problem. Sorry for the sarcasm but it’s how I survive the insanity.

I never had spam on my main site, until now. The invisible-defender plugin doesn’t help at all and clashes with Beau Lebens’s wp-email-login plugin. Haven’t had time to try any of the other solutions yet. It’s now after midnight, deadlines tomorrow, wasting time deleting spam accounts…

Then I activate the plugin. It should keep spam bots from being able to create accounts, but human spammers can still do it. Anyway, if you can’t get it to work, let me know via PM and I will try to send you the file.

@guristu: WOW – that sounds very promising, I always found the hashcash-plugin a very good and simple solution. Why not send your “hack” to the developers, so that they can update their plugin version for all the future BP users?

A good idea is to change the signup slug to something else. This will help significantly. Also, if you don’t need to provide blog registrations, then turn this option off.

The problem with bundling a solution in the core is spammers will eventually get around this and it will become useless. The best way to fight spam is to have something unique on your site that stops them in their tracks. A completely unique signup slug is a good way of doing this.

I wholeheartedly agree with @andy. It’s an age-old debate between making it as simple as possible to register and become a member and requiring some unique information that not only serves your purpose well but adds an extra layer to the process that fights spam.

We have been running our prod site since BP was in alpha (Nov ’08 – crazy, I know) but have had only 2 spam registrations. Both were from Russia and both seemed pointless. But we banned the domain in the WP backend and have had none since. We have not even changed our signup slug.

That said, we require 5 fields on registration, 3 are drop downs and we don’t allow blog registration (we’re building a community not a blog network)

On a side note: We ran reCaptcha flawlessly for 6 months. We disabled it as an experiment to see if we could avoid that extra step (plus reCaptcha words are damn hard to read) and have not had spam since. Fingers crossed.

@Gp01 My contribution to the plugin is minor and does not justify releasing it as a plugin. However, I am working on something based on the same “proof of work” idea and that may turn into a plugin. In the meantime, my little hack looks like it’s holding its ground.

I agree with Andy. Changing the slugs to something unique is not only a good idea but it also should be a requirement. However, that requires that you know your way around BP so that when you upgrade you don’t go back to defaults. Hey! I just gave myself an idea: dynamic slugs for BP components — a plugin or something that would give the admin an easy way to set the slugs to whatever they want. That would be something…

@andy I have been meaning to ask you: how do I get a BP module to register as a site wide plugin so that it shows up in the site wide plugins list? BuddyPress and the example module register as site wide plugins but my own module doesn’t — it activates as a regular plugin that has to be activated for each blog within wpmu. I have followed the example model step by step. Is there some magic line of code that I’m missing?

@David That’s what wp-hashcash does. It adds a hidden form field whose value is set only via JavaScript when the page loads in the browser. If the browser is a bot, the value of the field will not be set because bots usually do not have JavaScript capabilities. It isn’t the field itself that makes the difference, it’s what it contains that enables you to tell a human from a bot.
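As an added example (not part of the original thread and not wp-hashcash's own code), here is the server-side logic behind a JavaScript-set hidden field, combined with the “proof of work” idea mentioned in this thread. All function names, the secret, the lifetime and the difficulty value are assumptions made for the illustration.

```javascript
// Added example; all names are hypothetical and this is not wp-hashcash's code.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: per-site secret, server-side only
const MAX_AGE_MS = 10 * 60 * 1000;        // how long an issued challenge stays valid
const DIFFICULTY = 12;                    // leading zero bits the answer must produce
const usedChallenges = new Set();         // assumption: in-memory replay store
const sign = (msg) => crypto.createHmac('sha256', SECRET).update(msg).digest('hex');

// Server: value placed in the signup form; the answer field is rendered empty.
function issueChallenge(now = Date.now()) {
  const body = `${now}.${crypto.randomBytes(8).toString('hex')}`;
  return `${body}.${sign(body)}`;
}

// Leading zero bits of SHA-256("challenge:counter").
function zeroBits(challenge, counter) {
  const h = crypto.createHash('sha256').update(`${challenge}:${counter}`).digest();
  let bits = 0;
  for (const byte of h) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Browser side: the work the page-load script does before filling the hidden field.
function solve(challenge) {
  let counter = 0;
  while (zeroBits(challenge, counter) < DIFFICULTY) counter++;
  return String(counter);
}

// Server: decide what to do with a submitted form.
function verifySubmission(challenge, answer, now = Date.now(), seen = usedChallenges) {
  const parts = String(challenge).split('.');
  if (parts.length !== 3) return 'reject: malformed';
  const [ts, nonce, mac] = parts;
  const a = Buffer.from(mac), b = Buffer.from(sign(`${ts}.${nonce}`));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 'reject: bad signature';
  if (now - Number(ts) < 0 || now - Number(ts) > MAX_AGE_MS) return 'reject: expired';
  if (!/^\d+$/.test(String(answer || ''))) return 'reject: field not set'; // no script ran
  if (zeroBits(challenge, answer) < DIFFICULTY) return 'reject: wrong value';
  if (seen.has(challenge)) return 'reject: replayed';
  seen.add(challenge);
  return 'accept';
}
```

The signed timestamp and the replay set keep one solved value from being reused across many signups. A client that executes the page script passes, so this filters form-posting bots only.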

@guristu Right… but can bots submit drop down values? For instance, I have a drop down for “Training Level” which is a required field. If it’s left at “please select”… the form will return a required field error.

The short answer is Yes. The long one is they are made for filling out forms and submitting them. A drop-down is just a field that they might encounter, so expect the functionality. On the other hand we are talking here about bots that look for WP/MU installations to exploit the default sign up or comment forms. As a rule of thumb, anything that you can do to change the default behavior, do it. It’s like Andy said: if you make it the default, the spammers will figure out a way to get around it.

Also: try very hard to stay away from the following in your URLs: wp-signup.php, wp-register, register, wpmu, wp, and anything that hints at a WordPress installation.

The best trick I learned for fighting spam bots is to ask a question that only a human can answer and make them type it into a text box. If you change the question daily or randomize it, it makes it even tougher. Don’t do anything like math or captcha or something that a bot can calculate or decipher. Ask a question like “What color is snow?” or “How many sides does a triangle have?”

I started the group for splogging and spam a while ago, but to be honest I haven’t experienced any for quite a while now.

@andy’s right about changing the signup slug, that made a big difference for me. I also renamed (removed) the wp-signup.php file as that’s not in use, and again that made a difference – though watch for that on a wpmu / wp upgrade as it’ll replace the file.

I removed the WordPress references in my theme footer too, just to make it a little less obvious that I’m running WP.

Also running SI-Captcha antispam and NoSpamNX, but that’s about it nowadays.

Rewriting the slug works for me. @andy, would it be possible to have the slug name not in wp-config, but as an option under BP options? Or even as a required step when activating/installing BP? That way, everybody will create their own slug and all should be happier to use BP.